1/* $NetBSD: local.c,v 1.2 2017/02/14 01:16:45 christos Exp $ */
2
3/*++
4/* NAME
5/* local 8
6/* SUMMARY
7/* Postfix local mail delivery
8/* SYNOPSIS
9/* \fBlocal\fR [generic Postfix daemon options]
10/* DESCRIPTION
11/* The \fBlocal\fR(8) daemon processes delivery requests from the
12/* Postfix queue manager to deliver mail to local recipients.
13/* Each delivery request specifies a queue file, a sender address,
14/* a domain or host to deliver to, and one or more recipients.
15/* This program expects to be run from the \fBmaster\fR(8) process
16/* manager.
17/*
18/* The \fBlocal\fR(8) daemon updates queue files and marks recipients
19/* as finished, or it informs the queue manager that delivery should
20/* be tried again at a later time. Delivery status reports are sent
21/* to the \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemon as
22/* appropriate.
23/* CASE FOLDING
24/* .ad
25/* .fi
26/* All delivery decisions are made using the bare recipient
27/* name (i.e. the address localpart), folded to lower case.
28/* See also under ADDRESS EXTENSION below for a few exceptions.
29/* SYSTEM-WIDE AND USER-LEVEL ALIASING
30/* .ad
31/* .fi
32/* The system administrator can set up one or more system-wide
33/* \fBsendmail\fR-style alias databases.
34/* Users can have \fBsendmail\fR-style ~/.\fBforward\fR files.
35/* Mail for \fIname\fR is delivered to the alias \fIname\fR, to
36/* destinations in ~\fIname\fR/.\fBforward\fR, to the mailbox owned
37/* by the user \fIname\fR, or it is sent back as undeliverable.
38/*
39/* The system administrator can specify a comma/space separated list
40/* of ~\fR/.\fBforward\fR like files through the \fBforward_path\fR
41/* configuration parameter. Upon delivery, the local delivery agent
42/* tries each pathname in the list until a file is found.
43/*
44/* Delivery via ~/.\fBforward\fR files is done with the privileges
45/* of the recipient.
46/* Thus, ~/.\fBforward\fR like files must be readable by the
47/* recipient, and their parent directory needs to have "execute"
48/* permission for the recipient.
49/*
50/* The \fBforward_path\fR parameter is subject to interpolation of
51/* \fB$user\fR (recipient username), \fB$home\fR (recipient home
52/* directory), \fB$shell\fR (recipient shell), \fB$recipient\fR
53/* (complete recipient address), \fB$extension\fR (recipient address
54/* extension), \fB$domain\fR (recipient domain), \fB$local\fR
55/* (entire recipient address localpart) and
56/* \fB$recipient_delimiter.\fR The forms \fI${name?value}\fR and
57/* \fI${name:value}\fR expand conditionally to \fIvalue\fR when
58/* \fI$name\fR is (is not) defined.
59/* Characters that may have special meaning to the shell or file system
60/* are replaced by underscores. The list of acceptable characters
61/* is specified with the \fBforward_expansion_filter\fR configuration
62/* parameter.
63/*
64/* An alias or ~/.\fBforward\fR file may list any combination of external
65/* commands, destination file names, \fB:include:\fR directives, or
66/* mail addresses.
67/* See \fBaliases\fR(5) for a precise description. Each line in a
68/* user's .\fBforward\fR file has the same syntax as the right-hand part
69/* of an alias.
70/*
71/* When an address is found in its own alias expansion, delivery is
72/* made to the user instead. When a user is listed in the user's own
73/* ~/.\fBforward\fR file, delivery is made to the user's mailbox instead.
74/* An empty ~/.\fBforward\fR file means do not forward mail.
75/*
76/* In order to prevent the mail system from using up unreasonable
77/* amounts of memory, input records read from \fB:include:\fR or from
78/* ~/.\fBforward\fR files are broken up into chunks of length
79/* \fBline_length_limit\fR.
80/*
81/* While expanding aliases, ~/.\fBforward\fR files, and so on, the
82/* program attempts to avoid duplicate deliveries. The
83/* \fBduplicate_filter_limit\fR configuration parameter limits the
84/* number of remembered recipients.
85/* MAIL FORWARDING
86/* .ad
87/* .fi
88/* For the sake of reliability, forwarded mail is re-submitted as
89/* a new message, so that each recipient has a separate on-file
90/* delivery status record.
91/*
92/* In order to stop mail forwarding loops early, the software adds an
93/* optional
94/* \fBDelivered-To:\fR header with the final envelope recipient address. If
95/* mail arrives for a recipient that is already listed in a
96/* \fBDelivered-To:\fR header, the message is bounced.
97/* MAILBOX DELIVERY
98/* .ad
99/* .fi
100/* The default per-user mailbox is a file in the UNIX mail spool
101/* directory (\fB/var/mail/\fIuser\fR or \fB/var/spool/mail/\fIuser\fR);
102/* the location can be specified with the \fBmail_spool_directory\fR
103/* configuration parameter. Specify a name ending in \fB/\fR for
104/* \fBqmail\fR-compatible \fBmaildir\fR delivery.
105/*
106/* Alternatively, the per-user mailbox can be a file in the user's home
107/* directory with a name specified via the \fBhome_mailbox\fR
108/* configuration parameter. Specify a relative path name. Specify a name
109/* ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery.
110/*
111/* Mailbox delivery can be delegated to an external command specified
112/* with the \fBmailbox_command_maps\fR and \fBmailbox_command\fR
113/* configuration parameters. The command
114/* executes with the privileges of the recipient user (exceptions:
115/* secondary groups are not enabled; in case of delivery as root,
116/* the command executes with the privileges of \fBdefault_privs\fR).
117/*
118/* Mailbox delivery can be delegated to alternative message transports
119/* specified in the \fBmaster.cf\fR file.
120/* The \fBmailbox_transport_maps\fR and \fBmailbox_transport\fR
121/* configuration parameters specify an optional
122/* message transport that is to be used for all local recipients,
123/* regardless of whether they are found in the UNIX passwd database.
124/* The \fBfallback_transport_maps\fR and
125/* \fBfallback_transport\fR parameters specify an optional
126/* message transport
127/* for recipients that are not found in the aliases(5) or UNIX
128/* passwd database.
129/*
130/* In the case of UNIX-style mailbox delivery,
131/* the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
132/* envelope header to each message, prepends an
133/* \fBX-Original-To:\fR header with the recipient address as given to
134/* Postfix, prepends an
135/* optional \fBDelivered-To:\fR header
136/* with the final envelope recipient address, prepends a \fBReturn-Path:\fR
137/* header with the envelope sender address, prepends a \fB>\fR character
138/* to lines beginning with "\fBFrom \fR", and appends an empty line.
139/* The mailbox is locked for exclusive access while delivery is in
140/* progress. In case of problems, an attempt is made to truncate the
141/* mailbox to its original length.
142/*
143/* In the case of \fBmaildir\fR delivery, the local daemon prepends
144/* an optional
145/* \fBDelivered-To:\fR header with the final envelope recipient address,
146/* prepends an
147/* \fBX-Original-To:\fR header with the recipient address as given to
148/* Postfix,
149/* and prepends a \fBReturn-Path:\fR header with the envelope sender
150/* address.
151/* EXTERNAL COMMAND DELIVERY
152/* .ad
153/* .fi
154/* The \fBallow_mail_to_commands\fR configuration parameter restricts
155/* delivery to external commands. The default setting (\fBalias,
156/* forward\fR) forbids command destinations in \fB:include:\fR files.
157/*
158/* Optionally, the process working directory is changed to the path
159/* specified with \fBcommand_execution_directory\fR (Postfix 2.2 and
160/* later). Failure to change directory causes mail to be deferred.
161/*
162/* The \fBcommand_execution_directory\fR parameter value is subject
163/* to interpolation of \fB$user\fR (recipient username),
164/* \fB$home\fR (recipient home directory), \fB$shell\fR
165/* (recipient shell), \fB$recipient\fR (complete recipient
166/* address), \fB$extension\fR (recipient address extension),
167/* \fB$domain\fR (recipient domain), \fB$local\fR (entire
168/* recipient address localpart) and \fB$recipient_delimiter.\fR
169/* The forms \fI${name?value}\fR and \fI${name:value}\fR expand
170/* conditionally to \fIvalue\fR when \fI$name\fR is (is not)
171/* defined. Characters that may have special meaning to the
172/* shell or file system are replaced by underscores. The list
173/* of acceptable characters is specified with the
174/* \fBexecution_directory_expansion_filter\fR configuration
175/* parameter.
176/*
177/* The command is executed directly where possible. Assistance by the
178/* shell (\fB/bin/sh\fR on UNIX systems) is used only when the command
179/* contains shell magic characters, or when the command invokes a shell
180/* built-in command.
181/*
182/* A limited amount of command output (standard output and standard
183/* error) is captured for inclusion with non-delivery status reports.
184/* A command is forcibly terminated if it does not complete within
185/* \fBcommand_time_limit\fR seconds. Command exit status codes are
186/* expected to follow the conventions defined in <\fBsysexits.h\fR>.
187/* Exit status 0 means normal successful completion.
188/*
189/* Postfix version 2.3 and later support RFC 3463-style enhanced
190/* status codes. If a command terminates with a non-zero exit
191/* status, and the command output begins with an enhanced
192/* status code, this status code takes precedence over the
193/* non-zero exit status.
194/*
195/* A limited amount of message context is exported via environment
196/* variables. Characters that may have special meaning to the shell
197/* are replaced by underscores. The list of acceptable characters
198/* is specified with the \fBcommand_expansion_filter\fR configuration
199/* parameter.
200/* .IP \fBSHELL\fR
201/* The recipient user's login shell.
202/* .IP \fBHOME\fR
203/* The recipient user's home directory.
204/* .IP \fBUSER\fR
205/* The bare recipient name.
206/* .IP \fBEXTENSION\fR
207/* The optional recipient address extension.
208/* .IP \fBDOMAIN\fR
209/* The recipient address domain part.
210/* .IP \fBLOGNAME\fR
211/* The bare recipient name.
212/* .IP \fBLOCAL\fR
213/* The entire recipient address localpart (text to the left of the
214/* rightmost @ character).
215/* .IP \fBORIGINAL_RECIPIENT\fR
216/* The entire recipient address, before any address rewriting
217/* or aliasing (Postfix 2.5 and later).
218/* .IP \fBRECIPIENT\fR
219/* The entire recipient address.
220/* .IP \fBSENDER\fR
221/* The entire sender address.
222/* .PP
223/* Additional remote client information is made available via
224/* the following environment variables:
225/* .IP \fBCLIENT_ADDRESS\fR
226/* Remote client network address. Available as of Postfix 2.2.
227/* .IP \fBCLIENT_HELO\fR
228/* Remote client EHLO command parameter. Available as of Postfix 2.2.
229/* .IP \fBCLIENT_HOSTNAME\fR
230/* Remote client hostname. Available as of Postfix 2.2.
231/* .IP \fBCLIENT_PROTOCOL\fR
232/* Remote client protocol. Available as of Postfix 2.2.
233/* .IP \fBSASL_METHOD\fR
234/* SASL authentication method specified in the
235/* remote client AUTH command. Available as of Postfix 2.2.
236/* .IP \fBSASL_SENDER\fR
237/* SASL sender address specified in the remote client MAIL
238/* FROM command. Available as of Postfix 2.2.
239/* .IP \fBSASL_USERNAME\fR
240/* SASL username specified in the remote client AUTH command.
241/* Available as of Postfix 2.2.
242/* .PP
243/* The \fBPATH\fR environment variable is always reset to a
244/* system-dependent default path, and environment variables
245/* whose names are blessed by the \fBexport_environment\fR
246/* configuration parameter are exported unchanged.
247/*
248/* The current working directory is the mail queue directory.
249/*
250/* The \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
251/* envelope header to each message, prepends an
252/* \fBX-Original-To:\fR header with the recipient address as given to
253/* Postfix, prepends an
254/* optional \fBDelivered-To:\fR
255/* header with the final recipient envelope address, prepends a
256/* \fBReturn-Path:\fR header with the sender envelope address,
257/* and appends no empty line.
258/* EXTERNAL FILE DELIVERY
259/* .ad
260/* .fi
261/* The delivery format depends on the destination filename syntax.
262/* The default is to use UNIX-style mailbox format. Specify a name
263/* ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery.
264/*
265/* The \fBallow_mail_to_files\fR configuration parameter restricts
266/* delivery to external files. The default setting (\fBalias,
267/* forward\fR) forbids file destinations in \fB:include:\fR files.
268/*
269/* In the case of UNIX-style mailbox delivery,
270/* the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
271/* envelope header to each message, prepends an
272/* \fBX-Original-To:\fR header with the recipient address as given to
273/* Postfix, prepends an
274/* optional \fBDelivered-To:\fR
275/* header with the final recipient envelope address, prepends a \fB>\fR
276/* character to lines beginning with "\fBFrom \fR", and appends an
277/* empty line.
278/* The envelope sender address is available in the \fBReturn-Path:\fR
279/* header.
280/* When the destination is a regular file, it is locked for exclusive
281/* access while delivery is in progress. In case of problems, an attempt
282/* is made to truncate a regular file to its original length.
283/*
284/* In the case of \fBmaildir\fR delivery, the local daemon prepends
285/* an optional
286/* \fBDelivered-To:\fR header with the final envelope recipient address,
287/* and prepends an
288/* \fBX-Original-To:\fR header with the recipient address as given to
289/* Postfix.
290/* The envelope sender address is available in the \fBReturn-Path:\fR
291/* header.
292/* ADDRESS EXTENSION
293/* .ad
294/* .fi
295/* The optional \fBrecipient_delimiter\fR configuration parameter
296/* specifies how to separate address extensions from local recipient
297/* names.
298/*
299/* For example, with "\fBrecipient_delimiter = +\fR", mail for
300/* \fIname\fR+\fIfoo\fR is delivered to the alias \fIname\fR+\fIfoo\fR
301/* or to the alias \fIname\fR, to the destinations listed in
302/* ~\fIname\fR/.\fBforward\fR+\fIfoo\fR or in ~\fIname\fR/.\fBforward\fR,
303/* to the mailbox owned by the user \fIname\fR, or it is sent back as
304/* undeliverable.
305/* DELIVERY RIGHTS
306/* .ad
307/* .fi
308/* Deliveries to external files and external commands are made with
309/* the rights of the receiving user on whose behalf the delivery is made.
310/* In the absence of a user context, the \fBlocal\fR(8) daemon uses the
311/* owner rights of the \fB:include:\fR file or alias database.
312/* When those files are owned by the superuser, delivery is made with
313/* the rights specified with the \fBdefault_privs\fR configuration
314/* parameter.
315/* STANDARDS
316/* RFC 822 (ARPA Internet Text Messages)
317/* RFC 3463 (Enhanced status codes)
318/* DIAGNOSTICS
319/* Problems and transactions are logged to \fBsyslogd\fR(8).
320/* Corrupted message files are marked so that the queue
321/* manager can move them to the \fBcorrupt\fR queue afterwards.
322/*
323/* Depending on the setting of the \fBnotify_classes\fR parameter,
324/* the postmaster is notified of bounces and of other trouble.
325/* SECURITY
326/* .ad
327/* .fi
328/* The \fBlocal\fR(8) delivery agent needs a dual personality
329/* 1) to access the private Postfix queue and IPC mechanisms,
330/* 2) to impersonate the recipient and deliver to recipient-specified
331/* files or commands. It is therefore security sensitive.
332/*
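/* The \fBlocal\fR(8) delivery agent disallows regular expression
/* substitution of $1 etc. in \fBalias_maps\fR, because that
/* would open a security hole: an alias result may name an external
/* command or file, so text copied from the recipient address into
/* the result would let the sender of a message influence what is
/* executed or written.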
336/*
337/* The \fBlocal\fR(8) delivery agent will silently ignore
338/* requests to use the \fBproxymap\fR(8) server within
339/* \fBalias_maps\fR. Instead it will open the table directly.
340/* Before Postfix version 2.2, the \fBlocal\fR(8) delivery
341/* agent will terminate with a fatal error.
342/* BUGS
343/* For security reasons, the message delivery status of external commands
344/* or of external files is never checkpointed to file. As a result,
345/* the program may occasionally deliver more than once to a command or
346/* external file. Better safe than sorry.
347/*
348/* Mutually-recursive aliases or ~/.\fBforward\fR files are not detected
349/* early. The resulting mail forwarding loop is broken by the use of the
350/* \fBDelivered-To:\fR message header.
351/* CONFIGURATION PARAMETERS
352/* .ad
353/* .fi
354/* Changes to \fBmain.cf\fR are picked up automatically, as \fBlocal\fR(8)
355/* processes run for only a limited amount of time. Use the command
356/* "\fBpostfix reload\fR" to speed up a change.
357/*
358/* The text below provides only a parameter summary. See
359/* \fBpostconf\fR(5) for more details including examples.
360/* COMPATIBILITY CONTROLS
361/* .ad
362/* .fi
363/* .IP "\fBbiff (yes)\fR"
364/* Whether or not to use the local biff service.
365/* .IP "\fBexpand_owner_alias (no)\fR"
366/* When delivering to an alias "aliasname" that has an "owner-aliasname"
367/* companion alias, set the envelope sender address to the expansion
368/* of the "owner-aliasname" alias.
369/* .IP "\fBowner_request_special (yes)\fR"
370/* Give special treatment to owner-listname and listname-request
371/* address localparts: don't split such addresses when the
372/* recipient_delimiter is set to "-".
373/* .IP "\fBsun_mailtool_compatibility (no)\fR"
374/* Obsolete SUN mailtool compatibility feature.
375/* .PP
376/* Available in Postfix version 2.3 and later:
377/* .IP "\fBfrozen_delivered_to (yes)\fR"
378/* Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To:
379/* address (see prepend_delivered_header) only once, at the start of
380/* a delivery attempt; do not update the Delivered-To: address while
381/* expanding aliases or .forward files.
382/* .PP
383/* Available in Postfix version 2.5.3 and later:
384/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
385/* Defer delivery when a mailbox file is not owned by its recipient.
386/* .IP "\fBreset_owner_alias (no)\fR"
387/* Reset the \fBlocal\fR(8) delivery agent's idea of the owner-alias
388/* attribute, when delivering mail to a child alias that does not have
389/* its own owner alias.
390/* .PP
391/* Available in Postfix version 3.0 and later:
392/* .IP "\fBlocal_delivery_status_filter ($default_delivery_status_filter)\fR"
393/* Optional filter for the \fBlocal\fR(8) delivery agent to change the
394/* status code or explanatory text of successful or unsuccessful
395/* deliveries.
396/* DELIVERY METHOD CONTROLS
397/* .ad
398/* .fi
399/* The precedence of \fBlocal\fR(8) delivery methods from high to low is:
400/* aliases, .forward files, mailbox_transport_maps,
401/* mailbox_transport, mailbox_command_maps, mailbox_command,
402/* home_mailbox, mail_spool_directory, fallback_transport_maps,
403/* fallback_transport, and luser_relay.
404/* .IP "\fBalias_maps (see 'postconf -d' output)\fR"
405/* The alias databases that are used for \fBlocal\fR(8) delivery.
406/* .IP "\fBforward_path (see 'postconf -d' output)\fR"
407/* The \fBlocal\fR(8) delivery agent search list for finding a .forward
408/* file with user-specified delivery methods.
409/* .IP "\fBmailbox_transport_maps (empty)\fR"
410/* Optional lookup tables with per-recipient message delivery
411/* transports to use for \fBlocal\fR(8) mailbox delivery, whether or not the
412/* recipients are found in the UNIX passwd database.
413/* .IP "\fBmailbox_transport (empty)\fR"
414/* Optional message delivery transport that the \fBlocal\fR(8) delivery
415/* agent should use for mailbox delivery to all local recipients,
416/* whether or not they are found in the UNIX passwd database.
417/* .IP "\fBmailbox_command_maps (empty)\fR"
418/* Optional lookup tables with per-recipient external commands to use
419/* for \fBlocal\fR(8) mailbox delivery.
420/* .IP "\fBmailbox_command (empty)\fR"
421/* Optional external command that the \fBlocal\fR(8) delivery agent should
422/* use for mailbox delivery.
423/* .IP "\fBhome_mailbox (empty)\fR"
424/* Optional pathname of a mailbox file relative to a \fBlocal\fR(8) user's
425/* home directory.
426/* .IP "\fBmail_spool_directory (see 'postconf -d' output)\fR"
427/* The directory where \fBlocal\fR(8) UNIX-style mailboxes are kept.
428/* .IP "\fBfallback_transport_maps (empty)\fR"
429/* Optional lookup tables with per-recipient message delivery
430/* transports for recipients that the \fBlocal\fR(8) delivery agent could
431/* not find in the \fBaliases\fR(5) or UNIX password database.
432/* .IP "\fBfallback_transport (empty)\fR"
433/* Optional message delivery transport that the \fBlocal\fR(8) delivery
434/* agent should use for names that are not found in the \fBaliases\fR(5)
435/* or UNIX password database.
436/* .IP "\fBluser_relay (empty)\fR"
437/* Optional catch-all destination for unknown \fBlocal\fR(8) recipients.
438/* .PP
439/* Available in Postfix version 2.2 and later:
440/* .IP "\fBcommand_execution_directory (empty)\fR"
441/* The \fBlocal\fR(8) delivery agent working directory for delivery to
442/* external command.
443/* MAILBOX LOCKING CONTROLS
444/* .ad
445/* .fi
446/* .IP "\fBdeliver_lock_attempts (20)\fR"
447/* The maximal number of attempts to acquire an exclusive lock on a
448/* mailbox file or \fBbounce\fR(8) logfile.
449/* .IP "\fBdeliver_lock_delay (1s)\fR"
450/* The time between attempts to acquire an exclusive lock on a mailbox
451/* file or \fBbounce\fR(8) logfile.
452/* .IP "\fBstale_lock_time (500s)\fR"
453/* The time after which a stale exclusive mailbox lockfile is removed.
454/* .IP "\fBmailbox_delivery_lock (see 'postconf -d' output)\fR"
455/* How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery.
456/* RESOURCE AND RATE CONTROLS
457/* .ad
458/* .fi
459/* .IP "\fBcommand_time_limit (1000s)\fR"
460/* Time limit for delivery to external commands.
461/* .IP "\fBduplicate_filter_limit (1000)\fR"
462/* The maximal number of addresses remembered by the address
463/* duplicate filter for \fBaliases\fR(5) or \fBvirtual\fR(5) alias expansion, or
464/* for \fBshowq\fR(8) queue displays.
465/* .IP "\fBlocal_destination_concurrency_limit (2)\fR"
466/* The maximal number of parallel deliveries via the local mail
467/* delivery transport to the same recipient (when
468/* "local_destination_recipient_limit = 1") or the maximal number of
469/* parallel deliveries to the same local domain (when
470/* "local_destination_recipient_limit > 1").
471/* .IP "\fBlocal_destination_recipient_limit (1)\fR"
472/* The maximal number of recipients per message delivery via the
473/* local mail delivery transport.
474/* .IP "\fBmailbox_size_limit (51200000)\fR"
475/* The maximal size of any \fBlocal\fR(8) individual mailbox or maildir
476/* file, or zero (no limit).
477/* SECURITY CONTROLS
478/* .ad
479/* .fi
480/* .IP "\fBallow_mail_to_commands (alias, forward)\fR"
481/* Restrict \fBlocal\fR(8) mail delivery to external commands.
482/* .IP "\fBallow_mail_to_files (alias, forward)\fR"
483/* Restrict \fBlocal\fR(8) mail delivery to external files.
484/* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR"
485/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
486/* $name expansions of $mailbox_command and $command_execution_directory.
487/* .IP "\fBdefault_privs (nobody)\fR"
488/* The default rights used by the \fBlocal\fR(8) delivery agent for delivery
489/* to external file or command.
490/* .IP "\fBforward_expansion_filter (see 'postconf -d' output)\fR"
491/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
492/* $name expansions of $forward_path.
493/* .PP
494/* Available in Postfix version 2.2 and later:
495/* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR"
496/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows
497/* in $name expansions of $command_execution_directory.
498/* .PP
499/* Available in Postfix version 2.5.3 and later:
500/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
501/* Defer delivery when a mailbox file is not owned by its recipient.
502/* MISCELLANEOUS CONTROLS
503/* .ad
504/* .fi
505/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
506/* The default location of the Postfix main.cf and master.cf
507/* configuration files.
508/* .IP "\fBdaemon_timeout (18000s)\fR"
509/* How much time a Postfix daemon process may take to handle a
510/* request before it is terminated by a built-in watchdog timer.
511/* .IP "\fBdelay_logging_resolution_limit (2)\fR"
512/* The maximal number of digits after the decimal point when logging
513/* sub-second delay values.
514/* .IP "\fBexport_environment (see 'postconf -d' output)\fR"
515/* The list of environment variables that a Postfix process will export
516/* to non-Postfix processes.
517/* .IP "\fBipc_timeout (3600s)\fR"
518/* The time limit for sending or receiving information over an internal
519/* communication channel.
520/* .IP "\fBlocal_command_shell (empty)\fR"
521/* Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
522/* .IP "\fBmax_idle (100s)\fR"
523/* The maximum amount of time that an idle Postfix daemon process waits
524/* for an incoming connection before terminating voluntarily.
525/* .IP "\fBmax_use (100)\fR"
526/* The maximal number of incoming connections that a Postfix daemon
527/* process will service before terminating voluntarily.
528/* .IP "\fBprepend_delivered_header (command, file, forward)\fR"
529/* The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
530/* agent prepends a Delivered-To: message header with the address
531/* that the mail was delivered to.
532/* .IP "\fBprocess_id (read-only)\fR"
533/* The process ID of a Postfix command or daemon process.
534/* .IP "\fBprocess_name (read-only)\fR"
535/* The process name of a Postfix command or daemon process.
536/* .IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
537/* What address lookup tables copy an address extension from the lookup
538/* key to the lookup result.
539/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
540/* The location of the Postfix top-level queue directory.
541/* .IP "\fBrecipient_delimiter (empty)\fR"
542/* The set of characters that can separate a user name from its
543/* extension (example: user+foo), or a .forward file name from its
544/* extension (example: .forward+foo).
545/* .IP "\fBrequire_home_directory (no)\fR"
546/* Require that a \fBlocal\fR(8) recipient's home directory exists
547/* before mail delivery is attempted.
548/* .IP "\fBsyslog_facility (mail)\fR"
549/* The syslog facility of Postfix logging.
550/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
551/* The mail system name that is prepended to the process name in syslog
552/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
553/* FILES
554/* The following are examples; details differ between systems.
555/* $HOME/.forward, per-user aliasing
556/* /etc/aliases, system-wide alias database
557/* /var/spool/mail, system mailboxes
558/* SEE ALSO
559/* qmgr(8), queue manager
560/* bounce(8), delivery status reports
561/* newaliases(1), create/update alias database
562/* postalias(1), create/update alias database
563/* aliases(5), format of alias database
564/* postconf(5), configuration parameters
565/* master(5), generic daemon options
566/* syslogd(8), system logging
567/* LICENSE
568/* .ad
569/* .fi
570/* The Secure Mailer license must be distributed with this software.
571/* HISTORY
572/* .ad
573/* .fi
574/* The \fBDelivered-To:\fR message header appears in the \fBqmail\fR
575/* system by Daniel Bernstein.
576/*
577/* The \fImaildir\fR structure appears in the \fBqmail\fR system
578/* by Daniel Bernstein.
579/* AUTHOR(S)
580/* Wietse Venema
581/* IBM T.J. Watson Research
582/* P.O. Box 704
583/* Yorktown Heights, NY 10598, USA
584/*
585/* Wietse Venema
586/* Google, Inc.
587/* 111 8th Avenue
588/* New York, NY 10011, USA
589/*--*/
590
591/* System library. */
592
593#include <sys_defs.h>
594#include <unistd.h>
595#include <stdlib.h>
596#include <string.h>
597#include <fcntl.h>
598#ifdef USE_PATHS_H
599#include <paths.h>
600#endif
601
602/* Utility library. */
603
604#include <msg.h>
605#include <mymalloc.h>
606#include <htable.h>
607#include <vstring.h>
608#include <vstream.h>
609#include <iostuff.h>
610#include <name_mask.h>
611#include <set_eugid.h>
612#include <dict.h>
613
614/* Global library. */
615
616#include <recipient_list.h>
617#include <deliver_request.h>
618#include <deliver_completed.h>
619#include <mail_params.h>
620#include <mail_addr.h>
621#include <mail_conf.h>
622#include <been_here.h>
623#include <mail_params.h>
624#include <mail_version.h>
625#include <ext_prop.h>
626#include <maps.h>
627#include <flush_clnt.h>
628
629/* Single server skeleton. */
630
631#include <mail_server.h>
632
633/* Application-specific. */
634
635#include "local.h"
636
 /*
  * Tunable parameters and the state derived from them.
  * 
  * The grouping below is by apparent purpose, judged from the variable names
  * and the manual text at the top of this file. The table that binds each
  * variable to its main.cf parameter name is outside this listing, so
  * confirm the exact binding there before relying on it.
  */

 /*
  * Security-relevant controls (by name): which alias/forward/include
  * contexts may deliver to commands or files, which characters survive
  * $name expansion, and whether mailbox ownership is enforced. Review any
  * change to the defaults of these with particular care.
  */
char   *var_allow_commands;
char   *var_allow_files;
char   *var_cmd_exp_filter;
char   *var_fwd_exp_filter;
char   *var_exec_exp_filter;
bool    var_strict_mbox_owner;

 /*
  * Alias and forward expansion.
  */
char   *var_alias_maps;
char   *var_forward_path;
char   *var_rcpt_fdelim;
char   *var_prop_extension;
char   *var_deliver_hdr;
int     var_dup_filter_limit;
int     var_exp_own_alias;
bool    var_frozen_delivered;
bool    var_reset_owner_attr;

 /*
  * Delivery to external commands.
  */
char   *var_mailbox_command;
char   *var_mailbox_cmd_maps;
char   *var_local_cmd_shell;
char   *var_exec_directory;
int     var_command_maxtime;		/* You can now leave this here. */

 /*
  * Mailbox, transport and catch-all destinations.
  */
char   *var_home_mailbox;
char   *var_mail_spool_dir;
char   *var_mailbox_lock;
char   *var_mailbox_transport;
char   *var_mbox_transp_maps;
char   *var_fallback_transport;
char   *var_fbck_transp_maps;
char   *var_luser_relay;
long    var_mailbox_limit;

 /*
  * Compatibility and miscellaneous switches.
  */
int     var_biff;
int     var_stat_home_dir;
int     var_mailtool_compat;
char   *var_local_dsn_filter;

 /*
  * Bit masks and the alias lookup handle. Nothing in this listing assigns
  * them; presumably they are computed from the string parameters above
  * during start-up - TODO confirm in the initialization code.
  */
int     local_cmd_deliver_mask;
int     local_file_deliver_mask;
int     local_ext_prop_mask;
int     local_deliver_hdr_mask;
int     local_mbox_lock_mask;
MAPS   *alias_maps;
680
/*
 * local_deliver - attempt delivery to every recipient of one request
 *
 * rqst is the delivery request; service is recorded as the relay name in
 * the message attributes. The result is the bitwise OR of the status
 * values of all recipients, so it is zero only when every recipient
 * finished with status zero.
 *
 * Security note: the message state and the user attributes are handed to
 * deliver_recipient() BY VALUE. Lower-level alias/.forward expansion code
 * works on its own copies of those structures, so the top-level fields
 * set up here (including the user attributes that decide whose rights a
 * delivery runs with) are the same at the start of every recipient.
 * Objects that are only pointed to from those structures are still shared.
 */

static int local_deliver(DELIVER_REQUEST *rqst, char *service)
{

    /*
     * Do not rename: the RESET_*_ATTR macros are defined outside this
     * listing and may refer to "myname" - confirm in local.h first.
     */
    const char *myname = "local_deliver";
    RECIPIENT *cur;
    RECIPIENT *stop;
    int     one_status;
    int     all_status;
    LOCAL_STATE state;
    USER_ATTR usr_attr;

    if (msg_verbose)
	msg_info("local_deliver: %s from %s", rqst->queue_id, rqst->sender);

    /*
     * Set up everything that does not depend on the recipient. The
     * expansion attributes live in state; the user attributes are kept in
     * a separate structure because they are security sensitive.
     */
    state.level = 0;
    state.request = rqst;
    deliver_attr_init(&state.msg_attr);

    /* Where the message lives. */
    state.msg_attr.request = rqst;
    state.msg_attr.queue_name = rqst->queue_name;
    state.msg_attr.queue_id = rqst->queue_id;
    state.msg_attr.fp = rqst->fp;
    state.msg_attr.offset = rqst->data_offset;
    state.msg_attr.msg_stats = rqst->msg_stats;

    /* Envelope and content properties copied from the request. */
    state.msg_attr.sender = rqst->sender;
    state.msg_attr.encoding = rqst->encoding;
    state.msg_attr.smtputf8 = rqst->smtputf8;
    state.msg_attr.dsn_envid = rqst->dsn_envid;
    state.msg_attr.dsn_ret = rqst->dsn_ret;
    state.msg_attr.relay = service;

    /*
     * Start without an owner and without a user context. What exactly the
     * macros clear is defined outside this listing.
     */
    RESET_OWNER_ATTR(state.msg_attr, state.level);
    RESET_USER_ATTR(usr_attr, state.level);

    /*
     * Presumably the Delivered-To: loop-detection data described in the
     * manual text above; it is built once per message and freed below.
     */
    state.loop_info = delivered_hdr_init(rqst->fp, rqst->data_offset,
					 FOLD_ADDR_ALL);

    /*
     * Walk the recipient array. Each recipient gets a fresh duplicate
     * filter and a fresh forwarding context. A recipient is crossed off in
     * the queue file only when its combined status is zero and the request
     * carries DEL_REQ_FLAG_SUCCESS.
     */
    all_status = 0;
    cur = rqst->rcpt_list.info;
    stop = cur + rqst->rcpt_list.len;
    while (cur < stop) {
	state.dup_filter = been_here_init(var_dup_filter_limit, BH_FLAG_FOLD);
	forward_init();
	state.msg_attr.rcpt = *cur;

	/* state and usr_attr are copied here, not shared. */
	one_status = deliver_recipient(state, usr_attr);
	one_status |= forward_finish(rqst, state.msg_attr, one_status);

	if (one_status == 0 && (rqst->flags & DEL_REQ_FLAG_SUCCESS) != 0)
	    deliver_completed(state.msg_attr.fp, cur->offset);

	been_here_free(state.dup_filter);
	all_status |= one_status;
	cur++;
    }

    /*
     * Release the per-message resources.
     */
    delivered_hdr_free(state.loop_info);
    deliver_attr_free(&state.msg_attr);

    return all_status;
}
756
/*
 * local_service - serve one client connection
 *
 * stream is the connection to the client, service is the service name that
 * is passed on to local_deliver(), and argv holds the leftover command-line
 * arguments, of which there must be none.
 */

static void local_service(VSTREAM *stream, char *service, char **argv)
{
    DELIVER_REQUEST *request;
    int     rc;

    /*
     * Refuse to run with leftover command-line arguments; this service does
     * not take any.
     */
    if (argv[0] != 0)
        msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * This code runs each time a client connects to the UNIX-domain socket
     * that is dedicated to local mail delivery. The exchange is small: (1)
     * tell the client that we are ready, (2) read one delivery request, and
     * (3) report the completion status of that request. When no request can
     * be read, no delivery is attempted and no status is reported.
     */
    request = deliver_request_read(stream);
    if (request == 0)
        return;

    rc = local_deliver(request, service);
    deliver_request_done(stream, request, rc);
}
782
/*
 * local_mask_init - turn the delivery restriction parameters into bit masks
 *
 * Fills in the file-scope local_*_mask variables from the configured
 * parameter strings. Terminates the process when no mailbox locking method
 * is left.
 */

static void local_mask_init(void)
{

    /*
     * Expansion sources that may be named in the VAR_ALLOW_FILES setting.
     * Presumably these select which of alias, forward and include
     * expansions may deliver to a file; confirm against the users of
     * local_file_deliver_mask.
     */
    static const NAME_MASK file_mask[] = {
        {"alias", EXPAND_TYPE_ALIAS},
        {"forward", EXPAND_TYPE_FWD},
        {"include", EXPAND_TYPE_INCL},
        {0},
    };

    /*
     * The same source names for the VAR_ALLOW_COMMANDS setting. The two
     * tables are kept apart so that each restriction can change on its own.
     */
    static const NAME_MASK command_mask[] = {
        {"alias", EXPAND_TYPE_ALIAS},
        {"forward", EXPAND_TYPE_FWD},
        {"include", EXPAND_TYPE_INCL},
        {0},
    };

    /*
     * Delivery kinds that may be named in the VAR_DELIVER_HDR setting.
     */
    static const NAME_MASK deliver_mask[] = {
        {"command", DELIVER_HDR_CMD},
        {"file", DELIVER_HDR_FILE},
        {"forward", DELIVER_HDR_FWD},
        {0},
    };

    local_file_deliver_mask =
        name_mask(VAR_ALLOW_FILES, file_mask, var_allow_files);
    local_cmd_deliver_mask =
        name_mask(VAR_ALLOW_COMMANDS, command_mask, var_allow_commands);
    local_ext_prop_mask =
        ext_prop_mask(VAR_PROP_EXTENSION, var_prop_extension);
    local_deliver_hdr_mask =
        name_mask(VAR_DELIVER_HDR, deliver_mask, var_deliver_hdr);
    local_mbox_lock_mask = mbox_lock_mask(var_mailbox_lock);

    /*
     * The deprecated compatibility switch keeps only the dotlock bit of the
     * configured locking methods. When dotlock was not configured, the mask
     * becomes empty and the check below stops the program.
     */
    if (var_mailtool_compat) {
        msg_warn("%s: deprecated parameter, use \"%s = dotlock\" instead",
                 VAR_MAILTOOL_COMPAT, VAR_MAILBOX_LOCK);
        local_mbox_lock_mask &= MBOX_DOT_LOCK;
    }

    /*
     * Never continue without a mailbox locking method.
     */
    if (!local_mbox_lock_mask)
        msg_fatal("parameter %s specifies no applicable mailbox locking method",
                  VAR_MAILBOX_LOCK);
}
824
/*
 * pre_accept - exit when a lookup table has changed
 *
 * Registered as the pre-accept hook in main(). Both arguments are unused.
 * The process exits with status 0 when dict_changed_name() reports a changed
 * table. NOTE(review): the process manager is presumably expected to start
 * a replacement that opens the tables again.
 */

static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *table = dict_changed_name();

    /* Nothing changed: carry on and accept the client. */
    if (table == 0)
        return;

    msg_info("table %s has changed -- restarting", table);
    exit(0);
}
836
/*
 * post_init - post-jail initialization
 *
 * Registered as the post-init hook in main(). Both arguments are unused.
 */

static void post_init(char *unused_name, char **unused_argv)
{

    /*
     * Run as the mail system owner most of the time. NOTE(review): going by
     * its name, set_eugid() changes the effective user and group ID only,
     * which would let delivery code switch identity later; confirm against
     * the helper.
     */
    set_eugid(var_owner_uid, var_owner_gid);

    /*
     * Convert the delivery restriction parameters into bit masks.
     */
    local_mask_init();
}
848
/*
 * pre_init - pre-jail initialization
 *
 * Registered as the pre-init hook in main(). Both arguments are unused.
 * Adjusts the file size limit, opens the alias maps and calls flush_init().
 */

static void pre_init(char *unused_name, char **unused_argv)
{
    const int alias_flags = DICT_FLAG_LOCK | DICT_FLAG_PARANOID
    | DICT_FLAG_FOLD_FIX
    | DICT_FLAG_UTF8_REQUEST;

    /*
     * Replace the message size limit by the mailbox size limit as the file
     * size limit. XXX This is still inaccurate, because the file size limit
     * also applies to delivery to command.
     *
     * The file size limit is a safety net against runaway software errors. It
     * is not suitable for enforcing mail quota, because users can get
     * around mail quota by delivering to /file/name or to |command.
     *
     * The mailbox size limit must not be smaller than the message size limit,
     * because the delivery agent could then no longer update the queue
     * file. The test below also rejects a message size limit of zero.
     */
    if (var_mailbox_limit != 0) {
        if (var_message_limit == 0 || var_mailbox_limit < var_message_limit)
            msg_fatal("main.cf configuration error: %s is smaller than %s",
                      VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
        set_file_limit(var_mailbox_limit);
    }

    /*
     * Open the alias databases before the privilege change in post_init().
     */
    alias_maps = maps_create("aliases", var_alias_maps, alias_flags);

    flush_init();
}
880
/*
 * Declaration half of the version stamp; main() holds the matching
 * MAIL_VERSION_STAMP_ALLOCATE.
 */
MAIL_VERSION_STAMP_DECLARE;

/*
 * main - pass control to the single-threaded skeleton
 *
 * Each table below ends with an all-zero entry. A row names a configuration
 * parameter, its default value and the variable that receives the value.
 * All tables except the boolean one carry two more columns, presumably the
 * lower and upper bound of the value.
 */

int     main(int argc, char **argv)
{
    static const CONFIG_TIME_TABLE time_table[] = {
        {VAR_COMMAND_MAXTIME, DEF_COMMAND_MAXTIME, &var_command_maxtime, 1, 0},
        {0},
    };
    static const CONFIG_INT_TABLE int_table[] = {
        {VAR_DUP_FILTER_LIMIT, DEF_DUP_FILTER_LIMIT, &var_dup_filter_limit, 0, 0},
        {0},
    };
    static const CONFIG_LONG_TABLE long_table[] = {
        {VAR_MAILBOX_LIMIT, DEF_MAILBOX_LIMIT, &var_mailbox_limit, 0, 0},
        {0},
    };

    /*
     * NOTE(review): the 1 in the fourth column of the three *_EXP_FILTER
     * rows and of the mailbox lock row looks like a minimum length that
     * forbids an empty value; confirm against the table definition.
     */
    static const CONFIG_STR_TABLE str_table[] = {
        {VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0},
        {VAR_HOME_MAILBOX, DEF_HOME_MAILBOX, &var_home_mailbox, 0, 0},
        {VAR_ALLOW_COMMANDS, DEF_ALLOW_COMMANDS, &var_allow_commands, 0, 0},
        {VAR_ALLOW_FILES, DEF_ALLOW_FILES, &var_allow_files, 0, 0},
        {VAR_LOCAL_CMD_SHELL, DEF_LOCAL_CMD_SHELL, &var_local_cmd_shell, 0, 0},
        {VAR_MAIL_SPOOL_DIR, DEF_MAIL_SPOOL_DIR, &var_mail_spool_dir, 0, 0},
        {VAR_MAILBOX_TRANSP, DEF_MAILBOX_TRANSP, &var_mailbox_transport, 0, 0},
        {VAR_MBOX_TRANSP_MAPS, DEF_MBOX_TRANSP_MAPS, &var_mbox_transp_maps, 0, 0},
        {VAR_FALLBACK_TRANSP, DEF_FALLBACK_TRANSP, &var_fallback_transport, 0, 0},
        {VAR_FBCK_TRANSP_MAPS, DEF_FBCK_TRANSP_MAPS, &var_fbck_transp_maps, 0, 0},
        {VAR_CMD_EXP_FILTER, DEF_CMD_EXP_FILTER, &var_cmd_exp_filter, 1, 0},
        {VAR_FWD_EXP_FILTER, DEF_FWD_EXP_FILTER, &var_fwd_exp_filter, 1, 0},
        {VAR_EXEC_EXP_FILTER, DEF_EXEC_EXP_FILTER, &var_exec_exp_filter, 1, 0},
        {VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0},
        {VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0},
        {VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0},
        {VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0},
        {VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_dsn_filter, 0, 0},
        {0},
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
        {VAR_BIFF, DEF_BIFF, &var_biff},
        {VAR_EXP_OWN_ALIAS, DEF_EXP_OWN_ALIAS, &var_exp_own_alias},
        {VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir},
        {VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat},
        {VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered},
        {VAR_RESET_OWNER_ATTR, DEF_RESET_OWNER_ATTR, &var_reset_owner_attr},
        {VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner},
        {0},
    };

    /*
     * These values are loaded without $name expansion. NOTE(review): they
     * are presumably expanded later, at delivery time.
     */
    static const CONFIG_RAW_TABLE raw_table[] = {
        {VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0},
        {VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0},
        {VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0},
        {VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0},
        {0},
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Hand over to the server skeleton: local_service() handles each
     * client, and the three hooks run before the jail, after the jail and
     * before each accept. NOTE(review): CA_MAIL_SERVER_PRIVILEGED presumably
     * demands that the service is configured to start privileged;
     * post_init() lowers the privilege level after startup.
     */
    single_server_main(argc, argv, local_service,
                       CA_MAIL_SERVER_INT_TABLE(int_table),
                       CA_MAIL_SERVER_LONG_TABLE(long_table),
                       CA_MAIL_SERVER_STR_TABLE(str_table),
                       CA_MAIL_SERVER_RAW_TABLE(raw_table),
                       CA_MAIL_SERVER_BOOL_TABLE(bool_table),
                       CA_MAIL_SERVER_TIME_TABLE(time_table),
                       CA_MAIL_SERVER_PRE_INIT(pre_init),
                       CA_MAIL_SERVER_POST_INIT(post_init),
                       CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
                       CA_MAIL_SERVER_PRIVILEGED,
                       CA_MAIL_SERVER_BOUNCE_INIT(VAR_LOCAL_DSN_FILTER,
                                                  &var_local_dsn_filter),
                       0);
}
960